Description
The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.
Published: 2026-05-22
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing capability check in the FastX theme allows Subscriber-level users to invoke the 'ultp_install_callback' and 'ultp_activate_callback' functions, which install and activate the PostX plugin. This gives authenticated attackers a way to introduce code the site owner never intended to install, expanding the attack surface and potentially leading to privilege escalation if the installed plugin itself contains vulnerabilities. The weakness is categorized as CWE-862 (Missing Authorization). Exploitation requires an account with Subscriber access or higher, but a plugin installed this way could compromise the entire WordPress site.

Affected Systems

The vulnerability affects the FastX theme for WordPress, versions 1.0.0 through 1.0.2. No specific operating system or PHP version is mentioned. Only the theme’s installation routines are affected; other WordPress core files are not listed as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. An attacker only needs valid Subscriber credentials and the ability to reach the theme's plugin installation handler; no remote code execution or elevated privileges are required for the initial step. Because exploitation requires an authenticated user, the risk is confined to cases where an attacker holds a valid low-privilege account. The EPSS score is not available, and the vulnerability has not been listed in CISA KEV, suggesting no currently known widespread exploitation. Nonetheless, the ability to install plugins from a low-privilege account is a significant security concern, especially in managed or shared hosting environments.

Generated by OpenCVE AI on May 22, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FastX theme to a version that includes the missing capability checks (e.g., 1.0.3 or later if available).
  • If an immediate upgrade is not possible, disable the 'ultp_install_callback' and 'ultp_activate_callback' functions or restrict the plugin installation capability to Administrator users only.
  • Regularly audit installed plugins for unauthorized additions and review theme source code for any future missing authorization issues.
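The pattern behind this advisory (an admin-ajax.php handler that performs a privileged action without a capability check) and the recommended mitigation (restricting plugin installation to users who already hold the relevant capability) are illustrated below. This is an added example written for this page, not the FastX theme's source code: the handler names, the `example_` prefix, the nonce name, and the placeholder plugin slug are all hypothetical. It uses only WordPress core APIs (`check_ajax_referer`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`).

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. NOT the FastX
// theme's code; all names below are hypothetical.

// Shared installer helper (hypothetical). Uses core WordPress APIs only.
function example_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.' );
    }

    // activate_plugin() returns null on success or a WP_Error.
    return activate_plugin( $upgrader->plugin_info() );
}

// --- The weak pattern: any logged-in user reaches a privileged operation.
// wp_ajax_* hooks fire for every authenticated user, Subscriber included,
// so without an explicit capability check this is a missing-authorization bug.
function example_install_callback_unchecked() {
    $result = example_install_and_activate( 'example-plugin-slug' ); // placeholder slug
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_install_unchecked', 'example_install_callback_unchecked' );

// --- The hardened pattern: verify intent (nonce) and authorization
// (capabilities) before doing anything, and do not trust a caller-supplied
// plugin slug beyond a fixed allow-list.
function example_install_callback_hardened() {
    // 1. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_install_nonce', 'nonce' );

    // 2. Authorization: the same capabilities WordPress itself requires for
    //    the Plugins > Add New screen. Administrators hold both by default.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Constrain the target: only a known slug may be installed.
    $allowed = array( 'example-plugin-slug' ); // placeholder slug
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not permitted.' ), 400 );
    }

    $result = example_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_install', 'example_install_callback_hardened' );
```

When auditing a theme or plugin for this class of bug, look at every `add_action( 'wp_ajax_...' )` registration and confirm the callback calls `current_user_can()` with a capability appropriate to the operation before it does anything with side effects; a nonce check alone is not authorization, since any logged-in user can obtain a nonce the page hands out to them.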



Advisories

No advisories yet.

History

Fri, 22 May 2026 05:00:00 +0000

Type         Values Removed   Values Added
Description                   The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.
Title                         FastX <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation
Weaknesses                    CWE-862
References
Metrics                       cvssV3_1
                              {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-22T04:29:03.590Z

Reserved: 2026-02-15T05:47:15.710Z

Link: CVE-2026-2518

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-22T05:16:24.660

Modified: 2026-05-22T05:16:24.660

Link: CVE-2026-2518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T06:30:29Z

Weaknesses